From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=B3vr=LB=lists.infradead.org=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 47A20C47095
	for <linux-arm-kernel@archiver.kernel.org>; Mon,  7 Jun 2021 13:59:54 +0000 (UTC)
Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 16FF261185
	for <linux-arm-kernel@archiver.kernel.org>; Mon,  7 Jun 2021 13:59:54 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 16FF261185
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arndb.de
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:Cc:To:Subject:Message-ID:Date:From:
	In-Reply-To:References:MIME-Version:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=arxgzxgxm0fmtKGYU7wviS0ma4oZHBLGGm788BxBca4=; b=WWHqScG8y6TjH2
	ne9YB4i2GarJsyizVYdDNiWt4wurlaX4tDMLwuBbKtwJLB9NOQXwcpM6jCiKInuFGWIb0r6tay6+U
	fcoykCXekTJKFXWy5ujeCozK4VFPEGgCdtzylJGU023bcBRI3xsu98uSXUm9a/UhZJV6MnyQLfy6P
	CidalFB3lGxDma5FYmjTw0vUzd+LQcGzzcY+bZuSURM7mCkvMiRpUYhQv6bCvUqqI01Q+og3QZYll
	SVPOA/ra24YvHuVjXfdBlTixTbn5mfVI19wt6R+e4nX8VFfyUsygPCuH/Onyt+eHow+CWgwgNtmQq
	UFUiVat+q3mPhP6Cqikg==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1lqFlc-003wtZ-Bt; Mon, 07 Jun 2021 13:58:12 +0000
Received: from mout.kundenserver.de ([217.72.192.74])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1lqFlU-003wrh-NZ
 for linux-arm-kernel@lists.infradead.org; Mon, 07 Jun 2021 13:58:09 +0000
Received: from mail-ot1-f43.google.com ([209.85.210.43]) by
 mrelayeu.kundenserver.de (mreue107 [213.165.67.113]) with ESMTPSA (Nemesis)
 id 1MulVd-1lYaOA3i0h-00rnBa for <linux-arm-kernel@lists.infradead.org>; Mon,
 07 Jun 2021 15:58:02 +0200
Received: by mail-ot1-f43.google.com with SMTP id
 q5-20020a9d66450000b02903f18d65089fso563960otm.11
 for <linux-arm-kernel@lists.infradead.org>;
 Mon, 07 Jun 2021 06:57:59 -0700 (PDT)
X-Gm-Message-State: AOAM532IwQz1qprXoZyTtuCTc6MoDgPuC04G0oqlavB5YgICiAfcPyoK
 SOhF3+2cEPh1DW+XSa16xv/+Lb3jSOuMnU947hA=
X-Google-Smtp-Source: ABdhPJydOeOtoQqFpT/fRufwtUr7e1TKinNi8QFaK44JSPLHq7mHKgvKVkKJVcpFiP70MOJfu3Lh+UrlwI7IH0InKDo=
X-Received: by 2002:a9d:6acb:: with SMTP id m11mr10400045otq.246.1623074278174; 
 Mon, 07 Jun 2021 06:57:58 -0700 (PDT)
MIME-Version: 1.0
References: <20210527124356.22367-1-will@kernel.org>
 <CGME20210602132541eucas1p17127696041c26c00d1d2f50bef9cfaf0@eucas1p1.samsung.com>
 <4d0c8318-bad8-2be7-e292-fc8f70c198de@samsung.com>
 <20210602135123.GD12753@C02TD0UTHF1T.local>
 <130ce34f-460a-0046-f722-00144f2d5502@samsung.com>
 <20210604100114.GC64162@C02TD0UTHF1T.local>
 <0d10411d-49fe-fbca-0479-e2983af16aa8@samsung.com>
 <20210607120118.GC97489@C02TD0UTHF1T.local>
 <20210607130859.GD97489@C02TD0UTHF1T.local>
 <20210607133953.GB7330@willie-the-truck>
In-Reply-To: <20210607133953.GB7330@willie-the-truck>
From: Arnd Bergmann <arnd@arndb.de>
Date: Mon, 7 Jun 2021 15:57:41 +0200
X-Gmail-Original-Message-ID: <CAK8P3a0sj0qtC0VpQv4+Ah-C8jyZaGgfqsx326mChuW+e5mvrQ@mail.gmail.com>
Message-ID: <CAK8P3a0sj0qtC0VpQv4+Ah-C8jyZaGgfqsx326mChuW+e5mvrQ@mail.gmail.com>
Subject: Re: [PATCH] arm64: cache: Lower ARCH_DMA_MINALIGN to 64
 (L1_CACHE_BYTES)
To: Will Deacon <will@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>, emma@anholt.net, mripard@kernel.org, 
 Marek Szyprowski <m.szyprowski@samsung.com>,
 linux-arm-kernel@lists.infradead.org, 
 kernel-team@android.com, Catalin Marinas <catalin.marinas@arm.com>, 
 Ard Biesheuvel <ardb@kernel.org>,
 Vincent Whitchurch <vincent.whitchurch@axis.com>, 
 Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
 dri-devel <dri-devel@lists.freedesktop.org>
X-Provags-ID: V03:K1:VYZ5iRBU3UrfiJDsc7FeMCI7HBuDktYryx5fJcjBv/B1jvdwhdJ
 fDzVJRbMHwBe5Gpiql+XrJDGM0smCah59Gv5sqhrkKGldKHwDXwDW9YuESC3qsfUpTEzkck
 C200gf84ndHd5FzQ1WYbU8caBiQN9GobfWsRzw+FXVG5yVksA8Wk4ma4GGKzFhJNOhLcVBD
 s4OCdDh0y8goTqvttPvmQ==
X-UI-Out-Filterresults: notjunk:1;V03:K0:m2KcXhpFZCg=:2DGzcipMp6NHL49BWQhvZC
 NKtMuT/7l2zP1AvWcZxdgW/TR7Iic89jkut85JZbDvWTdkbjxtX827Mv9a47E7zuUecREAUAo
 KDndW74GepJS2TI1pEWTHJkCgbj0QIQOLgnpuNHdUhoQI1u/5kMXnt+ecqKY0UTfLIL7s1K5f
 8I38yhvE4CI+R2c5lvatBbvSpsnk/g5gMbCsnbBSxjoBWaXio/5c6PDHlts8jhPlz3DkY9jxR
 dZMopuo2gsBlrHvzuS+SoVXrKyf/utLZJQOXetdjyrqglCCY5cQLNqYdytx4Ysgvrp6oyy3w+
 np0iuziF15e0yQczv0JtFpt8x7Q0nJwwFQvFEvPuJ8J5hk+NJtHn5rMJilJ7ciOWhy2yUy9w7
 hSgln/7YSjjeu85rLuhqFwu9Sqblfz7M86N7sAz0DNUTfZKS9zYe++2uIVgXriL3t42G6qEid
 +wubokZ08B5fZC8xL6ool2ueVyOBtsghIEdNCpQySwxna2ZiaDit+uWVyMVo6+68qiVw0Agkx
 fmsStNXkRJ5+O8XgYK5Xb3ZOF2HbmzuUJua6L6gb9RY6B6XPOQXuFhEwmXCkUFCMwM84y7PX0
 s5PmBeMFhhJ9+tNFbn51cMop7yZGTfV/LqCsT50lDb5hUI3oh4rvvJCW9UmN+KD7QMscngW/E
 pxlQ=
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20210607_065805_087173_FC9434A0 
X-CRM114-Status: GOOD (  18.59  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

On Mon, Jun 7, 2021 at 3:39 PM Will Deacon <will@kernel.org> wrote:
>
> [Adding VC4 folks -- please see the KASAN splat below!]
>
> Background here is that reducing ARCH_DMA_MINALIGN to 64 on arm64 (queued in
> -next) is causing vc4 to hang on Rpi3b due to a probable driver bug.

The great news for the patch that caused it is that this has nothing to
do with DMA alignment.

> On Mon, Jun 07, 2021 at 02:08:59PM +0100, Mark Rutland wrote:
> > On Mon, Jun 07, 2021 at 01:01:18PM +0100, Mark Rutland wrote:
> > > On Mon, Jun 07, 2021 at 11:58:32AM +0200, Marek Szyprowski wrote:

> > [    3.728042] BUG: KASAN: slab-out-of-bounds in vc4_atomic_commit_tail+0x1cc/0x910
> > [    3.728123] Read of size 8 at addr ffff000007360440 by task kworker/u8:0/7

This is offset 0x40 into struct vc4_hvs_state, which is the
'pending_commit' pointer
for the array index 4, i.e. one after the end of the structure.

> > [    3.728495]  kasan_report+0x1dc/0x240
> > [    3.728529]  __asan_load8+0x98/0xd4
> > [    3.728565]  vc4_atomic_commit_tail+0x1cc/0x910

It seems to be this loop:

        for_each_old_crtc_in_state(state, crtc, old_crtc_state, i) {
                struct vc4_crtc_state *vc4_crtc_state =
                        to_vc4_crtc_state(old_crtc_state);
                unsigned int channel = vc4_crtc_state->assigned_channel;
                int ret;

                if (channel == VC4_HVS_CHANNEL_DISABLED)
                        continue;

                if (!old_hvs_state->fifo_state[channel].in_use)
                        continue;

                ret =
drm_crtc_commit_wait(old_hvs_state->fifo_state[i].pending_commit);
                if (ret)
                        drm_err(dev, "Timed out waiting for commit\n");
        }

I notice that it checks index 'fifos_state[channel].in_use', but then
uses a different index 'i' for looking at the 'pending_commit' field
beyond the end of the array.

This code was introduced by Maxime Ripard in commit 9ec03d7f1ed3
 ("drm/vc4: kms: Wait on previous FIFO users before a commit").

    Arnd

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=RpG4=LB=lists.freedesktop.org=dri-devel-bounces@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 04CBDC47094
	for <dri-devel@archiver.kernel.org>; Mon,  7 Jun 2021 13:58:04 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id BEE6461107
	for <dri-devel@archiver.kernel.org>; Mon,  7 Jun 2021 13:58:03 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BEE6461107
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arndb.de
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 2E3636E507;
	Mon,  7 Jun 2021 13:58:03 +0000 (UTC)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.131])
 by gabe.freedesktop.org (Postfix) with ESMTPS id C87C56E507
 for <dri-devel@lists.freedesktop.org>; Mon,  7 Jun 2021 13:58:01 +0000 (UTC)
Received: from mail-ot1-f41.google.com ([209.85.210.41]) by
 mrelayeu.kundenserver.de (mreue011 [213.165.67.97]) with ESMTPSA (Nemesis) id
 1MPGBR-1m0W5a30tZ-00Pard for <dri-devel@lists.freedesktop.org>; Mon, 07 Jun
 2021 15:57:59 +0200
Received: by mail-ot1-f41.google.com with SMTP id
 5-20020a9d01050000b02903c700c45721so15699110otu.6
 for <dri-devel@lists.freedesktop.org>; Mon, 07 Jun 2021 06:57:59 -0700 (PDT)
X-Gm-Message-State: AOAM532Jg0aF0oyE2KGPIPlbyxY4iOdNBNLH/Fd1DJYfH2MTUYr/Z0yq
 G6hVlXE3Sqj7NwqRyvM3Egf/v6P8vugI5IFF7o4=
X-Google-Smtp-Source: ABdhPJydOeOtoQqFpT/fRufwtUr7e1TKinNi8QFaK44JSPLHq7mHKgvKVkKJVcpFiP70MOJfu3Lh+UrlwI7IH0InKDo=
X-Received: by 2002:a9d:6acb:: with SMTP id m11mr10400045otq.246.1623074278174; 
 Mon, 07 Jun 2021 06:57:58 -0700 (PDT)
MIME-Version: 1.0
References: <20210527124356.22367-1-will@kernel.org>
 <CGME20210602132541eucas1p17127696041c26c00d1d2f50bef9cfaf0@eucas1p1.samsung.com>
 <4d0c8318-bad8-2be7-e292-fc8f70c198de@samsung.com>
 <20210602135123.GD12753@C02TD0UTHF1T.local>
 <130ce34f-460a-0046-f722-00144f2d5502@samsung.com>
 <20210604100114.GC64162@C02TD0UTHF1T.local>
 <0d10411d-49fe-fbca-0479-e2983af16aa8@samsung.com>
 <20210607120118.GC97489@C02TD0UTHF1T.local>
 <20210607130859.GD97489@C02TD0UTHF1T.local>
 <20210607133953.GB7330@willie-the-truck>
In-Reply-To: <20210607133953.GB7330@willie-the-truck>
From: Arnd Bergmann <arnd@arndb.de>
Date: Mon, 7 Jun 2021 15:57:41 +0200
X-Gmail-Original-Message-ID: <CAK8P3a0sj0qtC0VpQv4+Ah-C8jyZaGgfqsx326mChuW+e5mvrQ@mail.gmail.com>
Message-ID: <CAK8P3a0sj0qtC0VpQv4+Ah-C8jyZaGgfqsx326mChuW+e5mvrQ@mail.gmail.com>
Subject: Re: [PATCH] arm64: cache: Lower ARCH_DMA_MINALIGN to 64
 (L1_CACHE_BYTES)
To: Will Deacon <will@kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Provags-ID: V03:K1:xScahNPjcRIljAPJeTsxjzdF4OvPdhRsihaKvFBPpTQuyiuxzWl
 gIPXtnPfWu6NQ44j3+LvHLf+/vJQucvRFDMz76RN4N8AEkWfsMC+zsuq4tECd90D6NOcM69
 5mAZOrtgHya8Vq2TG5Ys20yGfcpAvyk301KhHczT+kclppUhyowyPFZGx0yt5oiPXXFUoZr
 WR09iftzj3C+vbJKz+SEA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:ywYq+XlEfCY=:Joodvx0RB5xI2T6zvYA5sQ
 ZiGvePEeFib+XVUu3DjkqiG1zxn8v0JMZfptmKNlYsLYiBffospGtvjzKQ4q5pXuuzTL5th1H
 DPwnLQmb6sHRg4/dEt4vl0Eoy5McT+hucS9G7HSJIrQCz8wBeHGguMhiH1Ygwc9cXPyKWYp1l
 qRx5J5Zyk2wJyBYalfg6a0R+HfB+wA979UxBqPWvlA+AgWc5YxDDhxfWSHCQs2Q0pQ96yMAJ5
 XiiXb/W/n/QhHgwj3/f/f3OFYs+HW+768V+RNRCZ12lACqyZcITa8mqifNOutjaHy5b7VLljv
 KfAtikce91pM1Ksy5OMF9ziozDX6X5WMIGbubR6XZtxPZ5kxSyO1YVdJ70CqX7l2Qj3iVvlTx
 74NefXy9ocgDtg9Ex9J7tkbT8ISq0oQknghgI7nIbUcQc/G1qgLSCoqd5FMQ4OAkuv23wytlj
 yLPwnOcuo5L8UX33hiJFuArBW9k4NA8EQWdw6a/Edchxxiw/pTSgJmsCVLTk7TWNFb7fFPaoY
 C9/LwZPpzbFf67vUFyAfFB/QbEwpCWW8w+/tMT1VeEkkaS3p6Yc34ArP+p9DqiOXGIELlu1dD
 uwOhu+MTx1WLN64+wnByD1egJQlBC+iuuWykUWpBd+TgJcwshNd0e9AJUXrmkFZZNqjoQvWbV
 SySA=
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
 <dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Cc: Mark Rutland <mark.rutland@arm.com>, emma@anholt.net,
 Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
 Catalin Marinas <catalin.marinas@arm.com>,
 Vincent Whitchurch <vincent.whitchurch@axis.com>,
 dri-devel <dri-devel@lists.freedesktop.org>, kernel-team@android.com,
 Ard Biesheuvel <ardb@kernel.org>, linux-arm-kernel@lists.infradead.org,
 Marek Szyprowski <m.szyprowski@samsung.com>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

On Mon, Jun 7, 2021 at 3:39 PM Will Deacon <will@kernel.org> wrote:
>
> [Adding VC4 folks -- please see the KASAN splat below!]
>
> Background here is that reducing ARCH_DMA_MINALIGN to 64 on arm64 (queued in
> -next) is causing vc4 to hang on Rpi3b due to a probable driver bug.

The great news for the patch that caused it is that this has nothing to
do with DMA alignment.

> On Mon, Jun 07, 2021 at 02:08:59PM +0100, Mark Rutland wrote:
> > On Mon, Jun 07, 2021 at 01:01:18PM +0100, Mark Rutland wrote:
> > > On Mon, Jun 07, 2021 at 11:58:32AM +0200, Marek Szyprowski wrote:

> > [    3.728042] BUG: KASAN: slab-out-of-bounds in vc4_atomic_commit_tail+0x1cc/0x910
> > [    3.728123] Read of size 8 at addr ffff000007360440 by task kworker/u8:0/7

This is offset 0x40 into struct vc4_hvs_state, which is the
'pending_commit' pointer
for the array index 4, i.e. one after the end of the structure.

> > [    3.728495]  kasan_report+0x1dc/0x240
> > [    3.728529]  __asan_load8+0x98/0xd4
> > [    3.728565]  vc4_atomic_commit_tail+0x1cc/0x910

It seems to be this loop:

        for_each_old_crtc_in_state(state, crtc, old_crtc_state, i) {
                struct vc4_crtc_state *vc4_crtc_state =
                        to_vc4_crtc_state(old_crtc_state);
                unsigned int channel = vc4_crtc_state->assigned_channel;
                int ret;

                if (channel == VC4_HVS_CHANNEL_DISABLED)
                        continue;

                if (!old_hvs_state->fifo_state[channel].in_use)
                        continue;

                ret =
drm_crtc_commit_wait(old_hvs_state->fifo_state[i].pending_commit);
                if (ret)
                        drm_err(dev, "Timed out waiting for commit\n");
        }

I notice that it checks index 'fifos_state[channel].in_use', but then
uses a different index 'i' for looking at the 'pending_commit' field
beyond the end of the array.

This code was introduced by Maxime Ripard in commit 9ec03d7f1ed3
 ("drm/vc4: kms: Wait on previous FIFO users before a commit").

    Arnd